feat(*): automate policy generation #4197

Merged
merged 18 commits into from
Apr 27, 2022

lobkovilya
Contributor

Summary

Introduce protoc-gen-kumapolicy and a number of Makefile targets to generate the following resources:

  • OpenAPI endpoints
  • OpenAPI schema
  • CRD
  • Resource object for core model
  • Resource object for k8s
  • Deepcopy both for proto and k8s resource

Issues resolved

N/A

Documentation

Testing

  • Unit tests
  • E2E tests
  • Manual testing on Universal
  • Manual testing on Kubernetes

Backwards compatibility

- [ ] Update UPGRADE.md with any steps users will need to take when upgrading.
- [ ] Add backport-to-stable label if the code follows our backporting policy

Signed-off-by: Ilya Lobkov <ilya.lobkov@konghq.com>
codecov-commenter commented Apr 20, 2022

Codecov Report

Merging #4197 (8c43d35) into master (b7e42f8) will decrease coverage by 0.17%.
The diff coverage is 0.88%.

@@            Coverage Diff             @@
##           master    #4197      +/-   ##
==========================================
- Coverage   55.82%   55.65%   -0.18%     
==========================================
  Files         931      938       +7     
  Lines       56485    56654     +169     
==========================================
- Hits        31534    31531       -3     
- Misses      22435    22606     +171     
- Partials     2516     2517       +1     
Impacted Files Coverage Δ
api/mesh/options.pb.go 11.17% <0.00%> (-0.25%) ⬇️
app/kumactl/cmd/root.go 76.59% <ø> (ø)
pkg/plugins/bootstrap/k8s/scheme.go 20.00% <0.00%> (-3.08%) ⬇️
tools/policy-gen/protoc-gen-kumapolicy/crd.go 0.00% <0.00%> (ø)
tools/policy-gen/protoc-gen-kumapolicy/deepcopy.go 0.00% <0.00%> (ø)
tools/policy-gen/protoc-gen-kumapolicy/main.go 0.00% <0.00%> (ø)
tools/policy-gen/protoc-gen-kumapolicy/plugin.go 0.00% <0.00%> (ø)
tools/policy-gen/protoc-gen-kumapolicy/resource.go 0.00% <0.00%> (ø)
tools/resource-gen/genutils/util.go 0.00% <0.00%> (ø)
tools/resource-gen/main.go 0.00% <0.00%> (ø)
... and 10 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b7e42f8...8c43d35. Read the comment docs.

Signed-off-by: Ilya Lobkov <ilya.lobkov@konghq.com>
@lobkovilya lobkovilya marked this pull request as ready for review April 20, 2022 10:23
@lobkovilya lobkovilya requested a review from a team as a code owner April 20, 2022 10:23
```

2. Create a proto file for new policy in `pkg/plugins/policies/donothingpolicy/api/v1alpha1`. For example
donothingpolicy.proto:
Contributor

maybe best just to link to the file


# we don't want expressions to be expanded with yq, that's why we're intentionally using single quotes
# shellcheck disable=SC2016
yq e '.spec.versions[] | select (.name == "'"${VERSION}"'") | .schema.openAPIV3Schema.properties.spec | del(.type) | del(.description)' \
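Review bot: The comment above the `select (.name == "'"${VERSION}"'")` line says expressions are intentionally not expanded, but `${VERSION}` sits outside the single quotes, so the shell does expand it and splices it into the yq program text; a value containing a double quote would change the expression. Reword the comment to say that only `${VERSION}` is expanded by the shell, or export VERSION and use `select(.name == strenv(VERSION))` so the whole expression stays inside one pair of single quotes.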
Contributor

@michaelbeaumont michaelbeaumont Apr 20, 2022

May be my bash skills but this is an effort to read IMO, isn't ${VERSION} still expanded here since it's outside of the single quotes? Is this different from:

".spec.versions[] | select (.name == \"${VERSION}\") | .schema.openAPIV3Schema.properties.spec | del(.type) | del(.description)"

?

Contributor Author

I tried the option you proposed, but for some reason, it doesn't work. It just ignores escaping (debug mode output):

+ yq e '.spec.versions[] | select (.name == \"${VERSION}\") | .schema.openAPIV3Schema.properties.spec | del(.type) | del(.description)' pkg/plugins/policies/donothingpolicy/k8s/crd/kuma.io_donothingpolicies.yaml
+ yq eval-all -i '. as $item ireduce ({}; . * $item )' pkg/plugins/policies/donothingpolicy/api/v1alpha1/schema.yaml -
Error: parsing expression: Lexer error: could not match text starting at 1:37 failing at 1:38.
        unmatched text: "\\"

I can leave a comment about why we need "'":

  • the first double quote is needed because yq select expects something like select (.name == "v1alpha1")
  • single quote is required to close the first single quote
  • now that we are outside of the single quotes, we simply use the bash expression "${VERSION}", that's why the last double quote is here
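
The quoting forms compared in the exchange above, as an added example that is not part of the PR or the project's scripts: each function returns the exact argument yq would receive, so the forms can be compared without yq installed. The function names and the `is_safe_version` guard are assumptions of this example, and the expression is shortened from the one in the thread.

```shell
#!/bin/sh
# Added example (not from the PR). The expression text is the one quoted in
# the thread, shortened; the function names are hypothetical.

# Form used in the PR: leave the single quotes, expand "${VERSION}" in double
# quotes, then re-enter single quotes. The shell joins the three pieces.
expr_spliced() (
  VERSION=$1
  printf '%s' '.spec.versions[] | select (.name == "'"${VERSION}"'") | .schema'
)

# Form proposed in review: one double-quoted word with \" for literal quotes.
expr_double_quoted() (
  VERSION=$1
  printf '%s' ".spec.versions[] | select (.name == \"${VERSION}\") | .schema"
)

# Backslash escapes left inside single quotes: nothing is expanded or
# unescaped, so the backslashes and the text ${VERSION} are passed literally.
expr_single_quoted() (
  VERSION=$1
  printf '%s' '.spec.versions[] | select (.name == \"${VERSION}\") | .schema'
)

# Guard (an assumption of this example): lowercase alphanumerics starting with
# "v" and a digit, so the value cannot close the quoted string it lands in.
is_safe_version() {
  case $1 in
    *[!a-z0-9]*) return 1 ;;
    v[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Validate first, then build the expression with the PR's splice form.
safe_expr() {
  is_safe_version "$1" || { echo "refusing VERSION '$1'" >&2; return 1; }
  expr_spliced "$1"
}

for form in expr_spliced expr_double_quoted expr_single_quoted; do
  printf '%-20s %s\n' "$form" "$("$form" v1alpha1)"
done
safe_expr 'v1"x' || echo "rejected a VERSION containing a double quote"
```

The third form reproduces the argument shown in the debug output quoted above, where the expression is still wrapped in single quotes.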


cp "${SCHEMA_TEMPLATE}" "${POLICIES_API_DIR}"/schema.yaml

if [ "$(find "${POLICIES_CRD_DIR}" -type f | wc -l | xargs echo)" != 1 ]; then
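Review bot: The trailing `| xargs echo` in the `find ... | wc -l | xargs echo` condition has no comment and reads as redundant. If it is there to strip whitespace that `wc -l` emits around the count, say so in a comment above the `if` so it is not removed later as dead code.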
Contributor

Suggested change
if [ "$(find "${POLICIES_CRD_DIR}" -type f | wc -l | xargs echo)" != 1 ]; then
if [ "$(find "${POLICIES_CRD_DIR}" -type f | wc -l)" != 1 ]; then

Doesn't wc -l already return one line with one number?

Contributor Author

I don't know why but it's \t1 instead of just 1, I didn't find another way to get rid of the tab

)

// CustomResourceTemplate for creating a Kubernetes CRD to wrap a Kuma resource.
var CustomResourceTemplate = template.Must(template.New("custom-resource").Parse(`
Contributor

Don't we already generate CRDs from Kuma resources? @parkanzky is that what you meant?

Contributor Author

Yes, we do in tools/resource-gen/main.go, but it doesn't make sense to reuse the template for 2 reasons:

  • templates are different, because Spec fields are different
  • we want to get rid of tools/resource-gen/main.go in the future because instead of accepting proto as an input, it imports all protos and generates resources for everything at once. It won't work well if you have proto files inside plugins directories

Signed-off-by: Ilya Lobkov <ilya.lobkov@konghq.com>
Contributor

@lahabana lahabana left a comment

This is a great start IMO.

Things that are missing (but can be done in a follow up PR):

  • script to ease bootstrapping a new policy
  • way to combine all openAPI spec with a root one with the other apis
  • how to actually do something with this policy (hooks)
  • did we agree on having CRDs namespace bound?
  • did we agree on moving mesh to be a label and not a field?

description: Kuma API

paths:
/meshes/{mesh}/{{ WsPath }}/{name}:
Contributor

Would it be possible to nest the new endpoints under /policies or something like this? We're now in a place where we can add a lot of different paths at the root. It seems dangerous to have something on /

Contributor Author

Maybe a good time to start prefixing it with a version?

Contributor

You mean http API version?

Contributor

Maybe though we'd still need a policy prefix or equivalent right?

Contributor Author

btw, I didn't touch the code that generates API endpoints, so a simple change of templates/endpoints.yaml is not enough. I'd keep this change until we implement the first policy using generators

Signed-off-by: Ilya Lobkov <ilya.lobkov@konghq.com>
@lobkovilya lobkovilya merged commit 8e141ed into master Apr 27, 2022
@lobkovilya lobkovilya deleted the feat/policy-gen branch April 27, 2022 14:19
parkanzky pushed a commit that referenced this pull request May 6, 2022
Signed-off-by: Ilya Lobkov <ilya.lobkov@konghq.com>
Signed-off-by: Paul Parkanzky <paul.parkanzky@konghq.com>
lukidzi pushed a commit that referenced this pull request May 11, 2022
Signed-off-by: Ilya Lobkov <ilya.lobkov@konghq.com>